F5 Nginx Plus vulnerabilities

CVE-2024-24990 [HIGH] CWE-416 CVE-2024-24990: When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC and HTTP/3 https://nginx.org/en/docs/quic.html . Note: Software versio

CVE-2024-24989 [HIGH] CWE-476 CVE-2024-24989: When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC and HTTP/3 https://nginx.org/en/docs/quic.html . NOTE: Software versions

CVE-2023-44487 [HIGH] CWE-400 CVE-2023-44487: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancell The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

CVE-2022-41742 [HIGH] CWE-787 CVE-2022-41742: NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to cause a worker process crash, or might result in worker process memory disclosure by using a spe

CVE-2022-41741 [HIGH] CWE-787 CVE-2022-41741: NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to corrupt NGINX worker memory, resulting in its termination or potential other impact using a spec

CVE-2022-41743 [HIGH] CWE-787 CVE-2022-41743: NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_hls_module NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_hls_module that might allow a local attacker to corrupt NGINX worker memory, resulting in its crash or potential other impact using a specially crafted audio or video file. The issue affects only NGINX Plus when the hls directive is used in the configuration file.

CVE-2020-5864 [HIGH] CWE-295 CVE-2020-5864: In versions of NGINX Controller prior to 3 CVE-2020-5864: In versions of NGINX Controller prior to 3 In versions of NGINX Controller prior to 3.2.0, communication between NGINX Controller and NGINX Plus instances skip TLS verification by default. Affected Products: NGINX Controller, NGINX Plus Affected Versions: 1.0.1; 2.0.0 - 2.9.0; 3.0.0 - 3.3.0 F5 Advisory Articles: K27205552 F5 References: https://support.f5.com/csp/article/K27205552